If you’ve worked with networking sometime in the last decade, I’m sure you’ve heard of this thing called IPv6. IPv6 has been around for quite a while, but it seems to be growing increasingly more popular as of late.
My focus on this article will be some of the challenges with security and IPv6, primarily those that Cisco IPv6 First-Hop-Security (FHS) solves.

Several times I’ve found myself looking at the network traffic traversing a customer’s network, asking if they use IPv6.
Unfortunately, most of the times the answer is no, even though I can see the Link-local and multicast addresses flying by my screen.
When I proceed to ask if they’ve added any security measurements in the network to protect against IPv6 attacks, the answer is mostly: “Why would we need any IPv6 security if we don’t use IPv6”? Read More »

Last week my colleagues and I were excited to deliver a 4-hour lab on IPv6 Security at Cisco Live London 2013. The training enabled students to correctly identify, classify, and deter or prevent the nefarious IPv6-specific behaviors. They did so by configuring network threat defense, countermeasures, and controls that were implemented and deployed on infrastructure devices as well as validate their effectiveness. Some of the nefarious behaviors included IPv6 spoofing, using IPv6 in IPv4 tunneling to bypass, and DDoS using IPv6 packets. This IPv6 security training was first delivered at Cisco Live USA 2012, where 19 students participated in the class. At Cisco Live London, we welcomed 21 Cisco Customers, giving them access to our lab-hosted equipment to practice and complete tasks covered during class. What follows are some key observations about our training in London as compared to our training in the U.S.: Read More »

In a previous blog, I discussed questions you should ask before peering with your SP and possible configuration options. Since the Internet edge is where this peering occurs, it should also be the first point where you start to apply your organization’s security policies. Security is a critical part of IPv6 integration because IPv6 opens up another transport path into your network.

With the proliferation of IPv6, its adoption and deployment, there are new security concerns that apply only to IPv6. Some of these security concerns rely on protocol differences between IPv4 and IPv6 and others exploit the diversification that the two technologies offer. The result could allow malicious users the ability to deploy attacks or evade network threat defense, countermeasures, and controls.

Join us, this Monday (June 11, 2012) afternoon, at Cisco Live, San Diego 4-hour lab session LTRSEC-3033 – Cyber Aikidō (合気道) Academy: IPv6 Network Threat Defense, Countermeasures, and Controls, to become more knowledgeable about basic inherent IPv6 security features and techniques on Cisco IOS Software and the Cisco ASA 5500 Series Adaptive Security Appliance (ASA). The students will acquire hands-on experience by configuring and testing these security features and techniques in simulated real world scenarios. The threats and protections that are presented apply to Local Area, Enterprise, and Service Provider networks. Students must correctly identify, classify, and deter or prevent the nefarious IPv6-specific behaviors by configuring network threat defense, countermeasures, and controls that will be implemented and deployed on infrastructure devices and validate their effectiveness.

At the conclusion of these labs, students will be more prepared to effectively implement and deploy basic inherent security features and techniques for identifying, classifying, deterring, and detecting attacks, threats, and nefarious behaviors specific to IPv6.

There are a growing number of large-scale IPv6 deployments occurring within enterprise, university, and government networks. For these networks to succeed, it is important that the IPv6 deployments are secure and the quality of service (QoS) must rival the existing IPv4 infrastructure. An important security aspect to consider is the local links (Layer 2). Traditional Layer 2 security differs between IPv4 and IPv6 because instead of using ARP—like IPv4—IPv6 moves the traditional Layer 2 operations to Layer 3 using various ICMP messages

IPv6 introduces a new set of technology link operations paradigms that differ significantly from IPv4. The changes include more end nodes that are permitted on the link (up to 2^64) and increased neighbor cache size on end nodes and the default router, which creates more opportunities for denial of service (DoS) attacks. There are also additional threats to consider in IPv6 including threats with the protocols in use, a couple of which are listed below:

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.